- CertiK exposed a vulnerability, extracting $3 million before reporting it to Kraken.
- Kraken patched the bug quickly after the alert from CertiK.
- CertiK has returned the funds after some procedural disputes.
Kraken has successfully reclaimed nearly all of the $3 million taken during a controversial “whitehat” hack orchestrated by blockchain security firm CertiK. Kraken’s Chief Security Officer, Nick Percoco, confirmed the return of funds, with only a small amount lost to transaction fees.
The whitehat hack highlighted critical issues in ethical hacking practice and in the coordinated disclosure process that is supposed to govern how vulnerabilities are reported and proven.
How did the Kraken whitehat hack unfold?
According to the chronology of events detailed by CertiK, the saga began when CertiK identified a serious vulnerability in Kraken’s system that allowed a technically capable user to artificially inflate their account balance.
Exploiting this flaw, CertiK withdrew $3 million from Kraken’s treasury as proof of the vulnerability’s severity. CertiK reported the issue in June, but only after it had already secured the funds, a move that drew significant criticism from Kraken and the wider crypto community.
Kraken addressed the vulnerability within hours of being informed and stated that no client assets were compromised. Percoco emphasized that the security hole was promptly patched and could not be exploited again.
Despite the quick fix, the manner in which CertiK conducted its operation, in particular its delay in returning the funds, raised serious questions about its adherence to standard whitehat bounty protocols.
CertiK’s unorthodox “whitehat” hack drew criticism
Kraken’s discontent stemmed from CertiK’s failure to follow the established procedures for whitehat activities.
Typically, whitehat hackers demonstrate a vulnerability with a minimal proof of concept, extract no more than is needed to prove it, and return any funds taken immediately.
CertiK, however, retained the $3 million until Kraken provided an estimate of the potential risk, a condition Kraken regarded as unnecessary and uncooperative.
CertiK defended its approach by claiming that the large withdrawal was necessary to thoroughly test Kraken’s security controls and alerting, which, according to CertiK, failed to trigger alarms even after substantial losses.
Furthermore, CertiK contended that it had always intended to return the funds and accused Kraken’s security team of pressuring its employees with unrealistic repayment deadlines and mismatched cryptocurrency amounts.
Ultimately, the funds were returned, albeit in a different cryptocurrency amount than Kraken had specified.
Since Kraken has not provided repayment addresses and the requested amount was mismatched, we are transferring the funds based on our records to an account that Kraken will be able to access.
— CertiK (@CertiK) June 19, 2024
CertiK maintained that it never sought a bounty for its actions and focused solely on ensuring the vulnerability was resolved.